From dc490e0e31eb6157f9f08ba6aa64c38ced7ad35a Mon Sep 17 00:00:00 2001 From: Monty Taylor Date: Tue, 1 Mar 2016 08:05:12 -0600 Subject: [PATCH] Update SSLProtocol and SSLCipherSuite SSLv2 and SSLv3 should never be used. Update the protocol and cipher suite lines to match the recommendations by the OpenStack Security team. This includes opt-in to only TLS and strong ciphers. Change-Id: I25168293cd822b2838252a71890e0c43b5a7b8f0 --- templates/storyboard_https.vhost.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/storyboard_https.vhost.erb b/templates/storyboard_https.vhost.erb index 2f02a55..ef18af3 100644 --- a/templates/storyboard_https.vhost.erb +++ b/templates/storyboard_https.vhost.erb @@ -26,6 +26,9 @@ SSLEngine on + SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM + SSLCertificateFile <%= scope.lookupvar("storyboard::cert::ssl_cert") %> SSLCertificateKeyFile <%= scope.lookupvar("storyboard::cert::ssl_key") %> <% if scope.lookupvar("storyboard::cert::resolved_ssl_ca") != :undef %>
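Review bot: The added `SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM` line narrows the cipher list, but nothing in the visible lines sets `SSLHonorCipherOrder on`, so the client's preference order rather than the server's would pick among the remaining suites. On OpenSSL releases before 1.1.0 the `HIGH` class still contains 3DES suites, so appending `:!3DES` would keep the "strong ciphers" intent independent of the library version. The `SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2` line names protocols that older httpd/OpenSSL builds do not recognise, and on those Apache will likely reject the configuration at start-up; a one-line comment above it stating the minimum supported versions would help operators. The vhost block starts and ends outside this hunk, so an existing `SSLHonorCipherOrder` elsewhere in the template cannot be ruled out.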